CVE-2026-50273
Awaiting Analysis Awaiting Analysis - Queue

Memory Exhaustion in Datadog .NET Tracer via W3C Baggage

Vulnerability report for CVE-2026-50273, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction, allowing a remote unauthenticated attacker to send a baggage header with many comma-separated key-value pairs or one very large value and cause unbounded CPU and memory consumption in services with baggage propagation enabled. This issue is fixed in version 3.43.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
datadog dotnet_tracer to 3.43.0 (exc)
datadog dd-trace-dotnet to 3.43.0 (exc)
datadog dd-trace-dotnet 3.43.0
datadog dd-trace-dotnet 3.48.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Datadog .NET Tracer library before version 3.43.0. It involves improper parsing of W3C baggage headers in HTTP requests, where the library does not enforce limits on the number of items or their size during extraction. This allows remote attackers to send specially crafted headers causing unbounded CPU and memory consumption in services using baggage propagation.

Detection Guidance

To detect this vulnerability, check the version of the Datadog .NET Tracer in use. If it is below 3.43.0, the system is vulnerable. Commands to check the version include inspecting NuGet packages in .NET projects or reviewing deployment logs for the tracer version.

Impact Analysis

An attacker could exploit this to perform a denial-of-service (DoS) attack against any internet-facing HTTP service using an affected Datadog .NET tracer. This may lead to service slowdowns, crashes, or complete unavailability due to excessive resource consumption.

Compliance Impact

This vulnerability could indirectly impact compliance with GDPR and HIPAA by enabling denial-of-service attacks that disrupt service availability. GDPR requires data processing systems to ensure availability and resilience, while HIPAA mandates safeguards against service disruptions. Exploitation of this flaw could lead to prolonged downtime, potentially violating these requirements.

Mitigation Strategies

Upgrade the Datadog .NET Tracer to version 3.43.0 or later. Alternatively, disable baggage extraction or configure upstream proxies or web servers to limit HTTP request header sizes as temporary mitigations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50273. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart